Lucene search

22 matches found

NVD · added 2026/05/11 4:17 p.m. · 6 views

CVE-2026-7817

Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...

CVSS 7.1 · EPSS 0.00034
Exploits 0 · References 1
GithubExploit · added 2026/04/11 11:10 p.m. · 160 views

Exploit for Path Traversal in Gogs

GOGS RCE cve-2025-8110 Gogs is a lightweight and self-hosted...

CVSS 8.8 · AI score 5.8 · EPSS 0.17737
Exploits 14
EUVD · added 2026/04/06 2:50 p.m. · 0 views

EUVD-2026-19285

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js,...

CVSS 5.4 · AI score 6 · EPSS 0.00046
Exploits 1 · References 1
RedhatCVE · added 2026/03/26 3:10 p.m. · 0 views

CVE-2026-32111

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form beta feature accepts a user-supplied haurl and makes a server-side HTTP request to haurl/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network...

CVSS 5.3 · AI score 6 · EPSS 0.00042
Exploits 0 · References 1
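The ha-mcp entry above (CVE-2026-32111) and the pgAdmin entry earlier on this page (CVE-2026-7817) share one pattern: a user-supplied base URL is handed to a server-side HTTP client with no validation, so the server can be pointed at loopback, RFC 1918 space or the cloud metadata address. The following is an added Python example, not code from ha-mcp, pgAdmin or any other project listed here, showing the check a practitioner would put in front of such a request. The allowed scheme list, the blocked ranges, the hostnames and the resolver stub are assumptions chosen for the illustration.

```python
"""Validate a user-supplied upstream URL before a server-side request.

Added illustration, not ha-mcp or pgAdmin code. Assumptions: the allowed
scheme list, the blocked address ranges, the hostnames and the resolver
stub below are chosen for this example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetch should never reach on a user's behalf: loopback,
# RFC 1918, link-local (169.254/16 includes the cloud metadata address
# 169.254.169.254), CGNAT, multicast/reserved, and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver (the default; the example injects a stub)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked(ip_text: str) -> bool:
    """True if the address lies in a blocked range; IPv4-mapped IPv6 is unwrapped
    so '::ffff:127.0.0.1' is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_upstream_url(url: str, resolver=system_resolver,
                          allowed_schemes=("https",)) -> tuple[str, list[str]]:
    """Return (hostname, resolved IPs) for a URL that is safe to fetch, else raise.

    The caller should connect to one of the returned IPs (keeping the original
    hostname for the Host header and SNI) instead of resolving again, so a DNS
    rebinding between this check and the request cannot redirect it.
    """
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise UnsafeURL(f"{host!r} did not resolve")
    # Every address must pass: a name with one public and one private record
    # is still a path into the internal network.
    for ip in ips:
        if is_blocked(ip):
            raise UnsafeURL(f"{host!r} resolves to blocked address {ip}")
    return host, ips


def is_safe_upstream_url(url: str, resolver=system_resolver) -> bool:
    """Boolean wrapper around validate_upstream_url."""
    try:
        validate_upstream_url(url, resolver=resolver)
    except UnsafeURL:
        return False
    return True


# Constructed DNS stub so the example runs offline (hypothetical names).
STUB_DNS = {
    "ha.example": ["203.0.113.10"],
    "internal.example": ["10.1.2.3"],
    "split.example": ["203.0.113.10", "192.168.1.1"],
}


def stub_resolver(host: str) -> list[str]:
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://ha.example:8123", "http://ha.example:8123",
                      "https://internal.example", "https://split.example",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://[::ffff:127.0.0.1]:8123"):
        print(f"{candidate:45} safe={is_safe_upstream_url(candidate, stub_resolver)}")
```

A scheme check alone is not enough: the fetch must also be made to the address that was validated, and any redirect the upstream returns has to go through the same check before it is followed.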
NVD · added 2026/03/20 3:16 a.m. · 1 views

CVE-2026-32890

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...

CVSS 9.6 · EPSS 0.00032
Exploits 0 · References 3
OSV · added 2026/03/20 2:35 a.m. · 1 views

CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...

CVSS 9.6 · AI score 6 · EPSS 0.00032
Exploits 0 · References 5
Vulnrichment · added 2026/03/20 2:35 a.m. · 1 views

CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...

CVSS 9.6 · AI score 6 · EPSS 0.00032
Exploits 0 · References 3
Positive Technologies · added 2026/03/20 12:00 a.m. · 2 views

PT-2026-26545

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...

CVSS 9.6 · AI score 6 · EPSS 0.00032
Exploits 0 · References 9
EUVD · added 2026/03/12 2:23 p.m. · 3 views

EUVD-2026-11383

ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle...

CVSS 5.3 · AI score 5.8 · EPSS 0.00042
Exploits 0 · References 2
CVE · added 2025/12/18 12:00 a.m. · 14 views

CVE-2025-63391

Open-WebUI is affected up to version 0.6.32. The vulnerability is an authentication bypass at the /api/config endpoint, allowing unauthenticated remote attackers to access sensitive system configuration data due to missing authentication/authorization controls. Impact is indicated as high (CVSS v...

CVSS 7.5 · AI score 6.9 · EPSS 0.00031
Exploits 0 · References 3 · Affected Software 1
Positive Technologies · added 2025/12/18 12:00 a.m. · 2 views

PT-2025-52240

Name of the Vulnerable Software and Affected Versions: Open-WebUI versions through 0.6.32. Description: An authentication bypass exists in the /api/config endpoint of Open-WebUI. The endpoint does not have sufficient authentication and authorization controls, potentially allowing unauthenticated...

CVSS 7.5 · AI score 6.8 · EPSS 0.00031
Exploits 0 · References 6
OSSF Malicious Packages · added 2025/08/14 6:52 p.m. · 2 views

Malicious code in @help_api/config (npm)

The package @help_api/config was found to contain malicious code...

AI score 7
Exploits 0
Positive Technologies · added 2025/04/16 12:00 a.m. · 2 views

PT-2025-16783 · Apache · Apache Hertzbeat

Name of the Vulnerable Software and Affected Versions: Apache HertzBeat versions prior to 1.7.0. Description: The issue is a Server-Side Request Forgery (SSRF) vulnerability. It affects the Api Config Oss. Users are recommended to upgrade to version 1.7.0 to fix the issue. Recommendations: For...

CVSS 6.5 · AI score 6.3 · EPSS 0.00138
Exploits 0 · References 8
NVD · added 2024/10/29 3:15 p.m. · 9 views

CVE-2024-50334

Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT...

CVSS 8.7 · EPSS 0.10106
Exploits 0 · References 1
CNNVD · added 2024/10/29 12:00 a.m. · 1 views

Scoold security vulnerability

Scoold is an open source team Q&A and knowledge sharing platform by Erudika. Scoold suffers from a security vulnerability that stems from a semicolon path injection vulnerability found in the /api;/config endpoint, where by appending a semicolon to a URL, an attacker can bypass authentication an...

CVSS 8.7 · AI score 7.1 · EPSS 0.10106
Exploits 0 · References 1
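The two Scoold entries above (CVE-2024-50334, NVD and CNNVD) describe the same bug class: a servlet container treats ";..." after a path segment as a path parameter and strips it before routing, so "/api;/config" dispatches to "/api/config", while an authentication filter that prefix-checks the raw request URI never sees a path starting with "/api/". The following is an added Python model of that mismatch and of the fix, not Scoold's code or a Java servlet; the static API key, the route table and the request shape are assumptions for the illustration.

```python
"""Model of the semicolon path-parameter bypass described in CVE-2024-50334.

Added illustration, not Scoold code. The router below strips ';...' path
parameters (servlet-container behaviour) before matching; the vulnerable
filter checks the raw URI, the hardened one checks the normalized path.
Assumptions: API_KEY, the single protected route and the Request shape.
"""
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote

PROTECTED_PREFIX = "/api/"
API_KEY = "example-key"  # assumption: a static key for the model


def strip_path_params(path: str) -> str:
    """Drop ';...' path parameters from every segment:
    '/api;jsessionid=x/config' -> '/api/config'."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def normalize(raw_path: str) -> str:
    """Canonical path as the router sees it: percent-decode, strip path
    parameters, then collapse '.' and '..' segments."""
    path = posixpath.normpath(strip_path_params(unquote(raw_path)))
    return path if path.startswith("/") else "/" + path


@dataclass
class Request:
    raw_path: str
    headers: dict = field(default_factory=dict)


def route(req: Request) -> tuple[int, str]:
    """Container-style dispatch on the normalized path."""
    if normalize(req.raw_path) == "/api/config":
        return 200, "config"
    return 404, "not found"


def authorized(req: Request) -> bool:
    return req.headers.get("X-API-Key") == API_KEY


def vulnerable_handler(req: Request) -> tuple[int, str]:
    """Auth filter keyed on the raw URI: the pattern the advisory describes.
    '/api;/config' does not start with '/api/', so the check is skipped,
    yet the router still dispatches it to the protected handler."""
    if req.raw_path.startswith(PROTECTED_PREFIX) and not authorized(req):
        return 401, "unauthorized"
    return route(req)


def hardened_handler(req: Request) -> tuple[int, str]:
    """Same policy, decided on the path the router will actually dispatch."""
    if normalize(req.raw_path).startswith(PROTECTED_PREFIX) and not authorized(req):
        return 401, "unauthorized"
    return route(req)


if __name__ == "__main__":
    for raw in ("/api/config", "/api;/config", "/api;jsessionid=x/config",
                "/static/..;/api/config"):
        print(f"{raw:26} vulnerable={vulnerable_handler(Request(raw))} "
              f"hardened={hardened_handler(Request(raw))}")
```

The durable fix is to attach the authorization decision to the matched route rather than to any string test on the raw URI; normalizing before a prefix check, as the hardened handler does, closes the ";" variant and the "..;" variant together but still depends on the normalization agreeing with the container's.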
NVD · added 2024/04/04 6:15 p.m. · 7 views

CVE-2024-29192

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The /api/config endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an...

CVSS 8.8 · AI score 9 · EPSS 0.00184
Exploits 1 · References 2
Positive Technologies · added 2024/04/04 12:00 a.m. · 2 views

PT-2024-22796

Name of the Vulnerable Software and Affected Versions: gotortc versions 1.8.5 and prior. Description: The issue concerns a camera streaming application. It allows modification of the existing configuration with user-supplied values through the /api/config endpoint. Although this API only allows...

CVSS 8.8 · AI score 8.7 · EPSS 0.00184
Exploits 1 · References 10
SUSE CVE · added 2023/02/15 4:38 a.m. · 1 views

SUSE CVE-2017-15093

When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. I...

CVSS 5.3 · AI score 7.6 · EPSS 0.00004
Exploits 0 · References 3
OSV · added 2018/01/23 3:29 p.m. · 1 views

DEBIAN-CVE-2017-15093

When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. I...

CVSS 5.3 · AI score 6.8 · EPSS 0.00004
Exploits 0 · References 1
OSV · added 2018/01/23 3:29 p.m. · 0 views

UBUNTU-CVE-2017-15093

When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. I...

CVSS 5.3 · AI score 6.6 · EPSS 0.00004
Exploits 0 · References 4